This document describes an API proposed by the International Image Interoperability Framework (IIIF) group for the delivery of images via a standard HTTP request. The IIIF API specifies a web service that returns an image in response to a standard HTTP or HTTPS request. The URL can specify the region, size, rotation, quality characteristics and format of the requested image. A URL can also be constructed to request basic technical information about the image to support client applications. The IIIF API was conceived to facilitate systematic reuse of image resources in digital image repositories maintained by cultural heritage organizations. The API could be adopted by any image repository or service, and can be used to retrieve static images in response to a properly constructed URL.
The IIIF Image API can be called in two forms: one to request an image, and a second to request technical information about the image. Both forms convey the request's information in the path segment of the URI, rather than as query parameters. This makes responses easier to cache, either at the server or by standard web-caching infrastructure. It also permits a minimal implementation using pre-computed files in a matching directory structure.
The API places no restrictions on the form of the identifiers that a server may use or support, although the identifier MUST be expressed as a string. All special characters (e.g. ? or #) MUST be URI encoded to avoid unpredictable client behaviors. The URL syntax relies upon slash (/) separators, so any slashes in the identifier MUST be URI encoded (i.e. percent-encoded: replace / with %2F). See the discussion in Section 9 - URL Encoding and Decoding.
The rotation value represents the number of degrees of clockwise rotation from the original, and may be any floating point number from 0 to 360. Initially most services will only support 0, 90, 180 or 270 as valid values.
In most cases a rotation will change the width and height dimensions of the returned image file. The service SHOULD return an image file that contains all of the image contents requested in the region and size parameters, even if the dimensions of the returned image file are different than specified in the size parameter. The image contents SHOULD NOT be scaled as a result of the rotation, and there SHOULD be no additional space between the corners of the rotated image contents and the bounding box of the returned image file.
The quality parameter determines the bit-depth of the delivered image. The quality value of native requests an image of the same bit-depth as the source image. Values other than native are requested transformations of the bit-depth of the source image.
The sequence of parameters in the URL is intended to express the order in which image manipulations are made against the original. This is important to consider when implementing the service because applying the same parameters in a different sequence will often result in a different image being delivered. The order is critical so that the application calling the service reliably receives the output it expects.
Servers may transmit HTTP responses with status codes 200, 302 and 304 when the request has been successfully processed. If the status code is 200, then the entity-body MUST be the requested image or information response. If the status code is 302 or 304, then the entity-body is unrestricted, but it is RECOMMENDED to be empty. If the status code is 302, then the Location HTTP Header MUST be set containing the URL of the image that fulfills the request. This enables servers to have a single canonical URL to promote caching of responses. Status code 304 is handled exactly as per the HTTP specification. Clients should therefore expect to encounter all of these situations and not assume that the entity-body of the initial response necessarily contains the image data.
The order in which servers parse requests and detect errors is not specified. A request will fail on the first error encountered and return an appropriate code with more detail in the response document. Errors are reported at the parameter level only, with an option for more detailed text.
This API does not specify whether the image server will support authentication or what mechanism it might use. In the case of a "401 Unauthorized" HTTP error response, the content of the WWW-Authenticate header will depend on the authentication mechanism supported by the server. If the server supports HTTP Basic or Digest authentication then the header should follow RFC2617, for example:
Where URI is a template parameter that SHOULD be used if the login server supports redirection after login. A client MUST substitute the current page URI in place of URI before presenting a login link to the user. Note that while there is widespread agreement about the limitation of WWW-Authenticate to Basic and Digest authentication in the current HTTP specification, there is no standard way to indicate appropriate redirection to a login screen, or convey a URI template to insert a return URI.
An image server MAY declare different compliance levels for different images. If the compliance level is not indicated, then a client should assume level 0 compliance only. For detailed compliance definitions see -api/compliance.html.
The URL syntax of this API relies upon slash (/) separators which MUST NOT be encoded. Clients MUST percent-encode special characters (the to-encode set below: percent and gen-delims of RFC3986 except the colon) within the components of requests. For example, any slashes within the identifier part of the URL MUST be percent-encoded. Encoding is necessary only for the identifier because other components will not include special characters.
Additionally, if identifiers include any characters outside the US-ASCII set then the encoding to octets must be defined consistently on client and server, and the octets MUST be percent-encoded. Percent-encoding other characters introduces no ambiguity but is unnecessary.
Servers which are incapable of processing arbitrarily encoded identifiers SHOULD make their best efforts to expose only image identifiers for which typical clients will not encode any of the characters, and thus it is RECOMMENDED to limit characters in identifiers to letters, numbers and the underscore character.
This API defines a URI syntax and the semantics associated with its components. The composition of URIs has few security considerations except possible exposure of sensitive information in URIs or revealing of browse/view behavior of users.
Server applications implementing this API must consider possible denial-of-service attacks, and authentication vulnerabilities based on DNS spoofing. Applications must be careful to parse incoming requests (URIs) in ways that avoid overflow or injection attacks.
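Added example (not part of the IIIF specification or of any implementation's code): a strict parser for the request path covered by the URL-encoding and security paragraphs above, with the matching client-side identifier encoder. The path layout and the region, size, quality and format grammars follow the IIIF Image API 1.x; the function names, `MAX_PATH`, `MAX_DIM` and the rejection of `..` components are assumptions, and any server prefix is assumed to be stripped already.

```python
import re
from urllib.parse import quote, unquote

MAX_PATH = 1024   # assumed cap on request-path length
MAX_DIM = 10000   # assumed cap on requested pixel width/height

# Parameter grammars as in the IIIF Image API 1.x; anything else is rejected.
NUM = r"\d+(?:\.\d+)?"
RULES = {
    "region": re.compile(rf"full|\d+,\d+,\d+,\d+|pct:{NUM},{NUM},{NUM},{NUM}"),
    "size": re.compile(rf"full|\d+,|,\d+|pct:{NUM}|!?\d+,\d+"),
    "rotation": re.compile(NUM),
    "quality": re.compile(r"(?:native|color|grey|bitonal)(?:\.(?:jpg|tif|png|gif|jp2|pdf))?"),
}

def encode_identifier(identifier: str) -> str:
    """Client side: encode "%" and the gen-delims except ":" (non-ASCII as UTF-8)."""
    return quote(identifier, safe=":!$&'()*+,;=", encoding="utf-8")

def parse_request(raw_path: str) -> dict:
    """Server side: parse /identifier/region/size/rotation/quality[.format]."""
    if len(raw_path) > MAX_PATH or not raw_path.startswith("/"):
        raise ValueError("bad path")
    # Split on "/" before decoding, so an encoded %2F stays inside the identifier.
    parts = raw_path[1:].split("/")
    if len(parts) != 5:
        raise ValueError("expected identifier/region/size/rotation/quality")
    fields = dict(zip(("identifier", *RULES), parts))
    for name, rule in RULES.items():
        if not rule.fullmatch(fields[name]):
            raise ValueError(f"bad {name}")
    # Decode exactly once; invalid UTF-8 raises (UnicodeDecodeError is a ValueError).
    ident = unquote(fields["identifier"], encoding="utf-8", errors="strict")
    # Assumed policy for file-backed stores: reject empty identifiers, NUL, ".." components.
    if not ident or "\x00" in ident or ".." in ident.split("/"):
        raise ValueError("bad identifier")
    rotation = float(fields["rotation"])
    if not 0 <= rotation <= 360:
        raise ValueError("rotation out of range")
    size = fields["size"]
    if not size.startswith("pct:") and any(int(n) > MAX_DIM for n in re.findall(r"\d+", size)):
        raise ValueError("size too large")
    quality, _, fmt = fields["quality"].partition(".")
    return {"identifier": ident, "region": fields["region"], "size": size,
            "rotation": rotation, "quality": quality, "format": fmt or None}

if __name__ == "__main__":  # constructed sample request
    print(parse_request("/" + encode_identifier("ark:/12025/654xz321") + "/full/full/0/native.jpg"))
```

Because the path is split before decoding and the identifier is decoded only once, a double-encoded `%252F` arrives as the literal text `%2F` rather than as a path separator.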
The production of this document was generously supported by a grant from the Andrew W. Mellon Foundation.
The full IIIF Working Group deserves thanks and recognition for their continuous engagement, innovative ideas and feedback. Members of the group not listed as authors or editors above include Aquiles Alencar Brayner, Richard Boulderstone, Svein Arne Brygfjeld, Tom Cramer, Markus Enders, Renhart Gittens, David Golding, Tim Gollins, Peter James, Dean Krafft, Matt McGrattan, Stephane Pillorget, Johan van der Knijff, Romain Vassilieff, and William Ying.
The inspiration, use cases and initial outline for this API originated from the work of the Digital Medieval Manuscript Interoperability Technical Council.
Attendees of the third annual LibDevConX workshop gave an early draft of this API a thoughtful hearing and provided essential feedback to ensure that the API fit with diverse use cases and technical environments.
Many thanks to Matthieu Bonicel, Kevin Clarke, Mark Patton, Lynn McRae, Willy Mene, Brian Tingle, Ian Davis and Scotty Logan for your thoughtful contributions to the effort and written feedback.
A web server is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well. Web servers are also known as HTTP servers, as they use the Hypertext Transfer Protocol (HTTP).
If you are upgrading from a previous release of Red Hat Enterprise Linux, you have to update the httpd service configuration accordingly. This section reviews some of the newly added features, and guides you through the update of prior configuration files.
Follow the procedure if the web server should provide the same content for all domains associated with the server. If you want to provide different content for different domains, set up name-based virtual hosts. For details, see Configuring Apache name-based virtual hosts.
Apache uses the first virtual host found in the configuration also for requests that do not match any domain set in the ServerName and ServerAlias parameters. This also includes requests sent to the IP address of the server.
If the Apache HTTP Server uses the TLS 1.3 protocol, certain clients require additional configuration. For example, in Firefox, set the security.tls.enable_post_handshake_auth parameter in the about:config menu to true. For further details, see Transport Layer Security version 1.3 in Red Hat Enterprise Linux 8.
ModSecurity is an open source web application firewall (WAF) supported by various web servers such as Apache, Nginx, and IIS, which reduces security risks in web applications. ModSecurity provides customizable rule sets for configuring your server.
To reduce risks related to running web-based applications on your web server by deploying ModSecurity, install the mod_security and mod_security_crs packages for the Apache HTTP server. The mod_security_crs package provides the core rule set (CRS) for the ModSecurity web-based application firewall (WAF) module.
If the rules contained in the ModSecurity core rule set (CRS) do not fit your scenario and if you want to prevent additional possible attacks, you can add your custom rules to the rule set used by the ModSecurity web-based application firewall. The following example demonstrates the addition of a simple rule. For creating more complex rules, see the reference manual on the ModSecurity Wiki website.